From e8dbb049452e014fe89df34cb8f29e7c21c37666 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Mon, 30 Jan 2023 01:48:52 +0300
Subject: 2023-01-30

---
 modules/nixos/bluetooth.nix | 2 ++
 modules/nixos/common/ark.nix | 56 ++++++++++++++++++++++++++++++++
 modules/nixos/common/default.nix | 1 +
 modules/nixos/common/networking.nix | 8 +++--
 modules/nixos/common/nix.nix | 4 +--
 modules/nixos/common/secrets.nix | 2 +-
 modules/nixos/common/security.nix | 12 ++++---
 modules/nixos/common/systemd.nix | 6 ++++
 modules/nixos/common/users.nix | 3 ++
 modules/nixos/games/minecraft.nix | 64 +++++++++++++++++++++++++++++--------
 modules/nixos/libvirtd.nix | 2 ++
 modules/nixos/openssh.nix | 27 ++++++++++++++--
 modules/nixos/profiles/default.nix | 3 ++
 13 files changed, 164 insertions(+), 26 deletions(-)
 create mode 100644 modules/nixos/common/ark.nix

(limited to 'modules/nixos')

diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix
index 8347361..cf92179 100644
--- a/modules/nixos/bluetooth.nix
+++ b/modules/nixos/bluetooth.nix
@@ -11,6 +11,8 @@ in {
 mkEnableOption "Bluetooth support";
 
 config = mkIf cfg.enable {
+ ark.directories = ["/var/lib/bluetooth"];
+
 hardware.bluetooth = {
 enable = true;
 settings.General.FastConnectable = true;
diff --git a/modules/nixos/common/ark.nix b/modules/nixos/common/ark.nix
new file mode 100644
index 0000000..3a12050
--- /dev/null
+++ b/modules/nixos/common/ark.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.ark;
+in {
+ imports = [
+ (mkAliasOptionModule ["ark"] ["nixfiles" "modules" "ark"])
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.nixfiles.modules.ark = let
+ mkListOfAnythingOption = mkOption {
+ type = with types; listOf anything; # Assumed to be matching with the upstream type.
+ default = [];
+ };
+ in {
+ enable = mkEnableOption "persistent storage support via impermanence";
+
+ path = mkOption {
+ type = types.str;
+ default = "/ark";
+ };
+
+ directories = mkListOfAnythingOption;
+ files = mkListOfAnythingOption;
+ # hm = {
+ # directories = mkListOfAnythingOption;
+ # files = mkListOfAnythingOption;
+ # };
+ };
+
+ config = mkIf cfg.enable {
+ environment.persistence.${cfg.path} = {
+ hideMounts = true;
+ enableDebugging = false;
+ inherit (cfg) directories files;
+ };
+
+ # NOTE We can't reliably[1] use this, so for the time being, this will stay
+ # commented out. Probably forever.
+ #
+ # [1]: https://github.com/nix-community/impermanence/issues/18
+ #
+ # hm = {
+ # imports = [inputs.impermanence.nixosModules.home-manager.impermanence];
+ # home.persistence."${cfg.path}/${config.my.home}" = {
+ # allowOther = false;
+ # inherit (cfg.hm) directories files;
+ # };
+ # };
+ };
+}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 8724c8b..54f8f51 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -1,5 +1,6 @@
 _: {
 imports = [
+ ./ark.nix
 ./console.nix
 ./documentation.nix
 ./home-manager.nix
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index 0c44159..8d94a4e 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
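Review bot: `path`, `directories` and `files` are declared without a `description`, unlike the options elsewhere in this module tree (the minecraft options touched in this same commit carry one), so the generated option docs say nothing about what the mount point is, and `listOf anything` gives a reader no hint of the expected element shape. Suggest `description = "Mount point of the persistent storage root.";` on `path`, and a description on the shared `mkListOfAnythingOption` that points at impermanence's own `environment.persistence.<name>.directories` and `files` options, since the `# Assumed to be matching with the upstream type.` comment already admits the type is only assumed to match.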
@@ -12,6 +12,10 @@ in {
 mkEnableOption "custom networking settings";
 
 config = mkIf (!cfg.onlyDefault) {
+ ark.directories = with config.networking;
+ optional networkmanager.enable "/etc/NetworkManager/system-connections"
+ ++ optional wireless.iwd.enable "/var/lib/iwd";
+
 # TODO Support multiple interfaces and IP addresses.
 networking = mkMerge [
 {
@@ -20,8 +24,8 @@ in {
 hostName = this.hostname;
 hostId = substring 0 8 (builtins.hashString "md5" this.hostname);
 
- # Remove default hostname mappings. This is required at least by the current
- # implementation of the montoring module.
+ # Remove default hostname mappings. This is required at least by the
+ # current implementation of the monitoring module.
 hosts = {
 "127.0.0.2" = mkForce [];
 "::1" = mkForce [];
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
index 71f62fd..48c52b3 100644
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@@ -21,10 +21,10 @@ in {
 config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
 
 overlays = with inputs; [
- agenix.overlay
+ agenix.overlays.default
+ nix-minecraft.overlay
 pollymc.overlay
 xmonad-ng.overlays.default
- # nix-minecraft-servers.overlays.default
 ];
 };
 
diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
index 4fcdc61..c229882 100644
--- a/modules/nixos/common/secrets.nix
+++ b/modules/nixos/common/secrets.nix
@@ -8,7 +8,7 @@
 }:
 with lib; {
 imports = [
- inputs.agenix.nixosModule
+ inputs.agenix.nixosModules.default
 (mkAliasOptionModule ["secrets"] ["age" "secrets"])
 ];
 
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 09c5da1..d146cee 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -9,17 +9,21 @@ with lib; {
 enable = true;
 execWheelOnly = true;
 wheelNeedsPassword = false;
- # https://mwl.io/archives/1000
 extraConfig = ''
- Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
+ Defaults lecture=never
 '';
 };
 
 polkit = {
 enable = true;
- # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
 extraConfig = ''
- polkit.addRule(function (action, subject) {
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
 if (subject.isInGroup('wheel')) return polkit.Result.YES;
 });
 
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 5c7282d..c1b2539 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,4 +1,10 @@
 {pkgs, ...}: {
+ ark = {
+ # FIXME Enable on a fresh system!
+ # files = ["/etc/machine-id"];
+ directories = ["/var/lib/systemd/coredump"];
+ };
+
 hm.systemd.user.startServices = "sd-switch";
 
 services.journald.extraConfig = ''
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 22e8023..400bf33 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,5 +1,8 @@
 {lib, ...}:
 with lib; {
+ # TODO Enable on a fresh system.
+ # ark.directories = [config.my.home];
+
 users = {
 mutableUsers = false;
 
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 7b21195..09b9239 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -1,5 +1,6 @@
 {
 config,
+ inputs,
 lib,
 pkgs,
 ...
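Review bot: Persisting `/var/lib/systemd/coredump` through `ark` in the systemd.nix hunk makes core dumps outlive reboots on an otherwise ephemeral root, and a dump is a memory image of whatever crashed, which can include credentials or key material that process held. If the intent is only occasional debugging, consider bounding retention next to this line with `systemd.coredump.extraConfig` (`MaxUse=`, `KeepFree=`), or leaving the directory ephemeral; either way a one-line comment stating why dumps need to survive a reboot would make the choice reviewable. The `{pkgs, ...}: {` module body this sits in continues past the end of the hunk.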
@@ -7,11 +8,19 @@
 with lib; let
 cfg = config.nixfiles.modules.games.minecraft;
 in {
+ imports = [inputs.nix-minecraft.nixosModules.minecraft-servers];
+
 options.nixfiles.modules.games.minecraft = {
 client.enable = mkEnableOption "Minecraft client";
 
 server = {
 enable = mkEnableOption "Minecraft server";
+ port = mkOption {
+ description = "OpenSSH server port.";
+ type = types.port;
+ default = 50505; # Keeping 25565 as the default is a big security risk.
+ };
+
 memory = mkOption {
 description = "Amount of RAM to allocate.";
 type = types.str;
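Review bot: The new `port` option's description reads `OpenSSH server port.`, which looks copied from openssh.nix and will appear verbatim in the generated option docs; it should be `description = "Minecraft server port.";`. The comment on the default also overstates what moving off 25565 buys: a non-default port only reduces scanner noise and is not an access control, so `default = 50505; # Non-default port to cut down on drive-by scanner traffic.` describes it more accurately. The `options.nixfiles.modules.games.minecraft` set continues past the end of this hunk.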
@@ -25,26 +34,53 @@ in {
 hm.home.packages = with pkgs; [prismlauncher];
 })
 (mkIf cfg.server.enable {
- # Configurations, opslist, whitelist and plugins are managed imperatively.
- # TODO Make it declarative.
- services.minecraft-server = {
+ nixfiles.modules.common.nix.allowedUnfreePackages = ["minecraft-server"];
+
+ ark.directories = [config.services.minecraft-servers.dataDir];
+
+ services.minecraft-servers = {
 enable = true;
 eula = true;
 
- package = pkgs.minecraftServers.purpur_1_19_3;
+ openFirewall = true;
+
+ servers.default = {
+ enable = true;
+ autoStart = true;
+
+ package = pkgs.paperServers.paper-1_19_3;
+
+ serverProperties = {
+ # motd = "";
+ # white-list = true;
+ allow-flight = true;
+ difficulty = "hard";
+ enable-command-block = true;
+ enforce-secure-profile = false;
+ enforce-whitelist = true;
+ gamemode = "survival";
+ level-name = "default";
+ max-players = 8;
+ online-mode = false;
+ previews-chat = false;
+ pvp = false;
+ server-port = cfg.server.port;
+ snooper-enabled = false;
+ };
+
+ whitelist = {}; # TODO Fill this.
 
- # TODO Make a PR fixing trailing whitespace on this.
- jvmOpts =
- (concatStringsSep " " [
- "-Xmx${cfg.server.memory}"
- "-Xms${cfg.server.memory}"
- "--add-modules=jdk.incubator.vector"
- ])
- + " ";
+ jvmOpts =
+ (concatStringsSep " " [
+ "-Xms${cfg.server.memory}"
+ "-Xmx${cfg.server.memory}"
+ "--add-modules=jdk.incubator.vector" # Required by some plugins.
+ ])
+ + " ";
+ };
 };
 
- # Defined in /var/lib/minecraft/server.properties.
- networking.firewall.allowedTCPPorts = [55565];
+ my.extraGroups = [config.services.minecraft-servers.group];
 })
 ];
 }
diff --git a/modules/nixos/libvirtd.nix b/modules/nixos/libvirtd.nix
index 58dfc50..a246c98 100644
--- a/modules/nixos/libvirtd.nix
+++ b/modules/nixos/libvirtd.nix
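Review bot: `online-mode = false` disables account verification for the server, and together with `openFirewall = true`, `# white-list = true;` left commented out and `whitelist = {}` still a TODO, any client that reaches `cfg.server.port` can join under an arbitrary username, including an operator's; `enforce-whitelist = true` does nothing while `white-list` itself is off. Unless offline mode is needed for a reason not stated here, set `online-mode = true;`, or at minimum uncomment `white-list = true;` and fill `whitelist` before the port is opened. The `+ " "` appended to `jvmOpts` lost its explanatory comment in the rewrite (the old `# TODO Make a PR fixing trailing whitespace on this.`), so the trailing space now looks accidental; keep a short comment on it. The `config = mkMerge [` list this hunk belongs to starts before the hunk.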
@@ -10,6 +10,8 @@ in {
 options.nixfiles.modules.libvirtd.enable = mkEnableOption "libvirtd";
 
 config = mkIf cfg.enable {
+ ark.directories = ["/var/lib/libvirt"];
+
 hm.home.packages = with pkgs; [
 qemu-utils
 quickemu
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 36b85f8..0cd44bd 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,15 +18,36 @@ in {
 };
 
 config = mkIf cfg.server.enable {
+ # TODO Enable on a fresh system.
+ # ark = {
+ # files = [
+ # "/etc/ssh/ssh_host_ed25519_key"
+ # "/etc/ssh/ssh_host_ed25519_key.pub"
+ # "/etc/ssh/ssh_host_rsa_key"
+ # "/etc/ssh/ssh_host_rsa_key.pub"
+ # ];
+ # directories = ["/etc/ssh/authorized_keys.d"];
+ # };
+
 programs.mosh.enable = true;
 
 services = {
 openssh = {
 enable = true;
 ports = [cfg.server.port];
- logLevel = "VERBOSE"; # Required by fail2ban.
- permitRootLogin = mkForce "no";
- passwordAuthentication = false;
+ settings = {
+ AllowUsers = my.username;
+ ClientAliveCountMax = 3;
+ ClientAliveInterval = 60;
+ KbdInteractiveAuthentication = false;
+ LogLevel =
+ if config.nixfiles.modules.fail2ban.enable
+ then "VERBOSE"
+ else "ERROR";
+ MaxAuthTries = 3;
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
 };
 
 fail2ban.jails.sshd = ''
diff --git a/modules/nixos/profiles/default.nix b/modules/nixos/profiles/default.nix
index d5ab838..23eb455 100644
--- a/modules/nixos/profiles/default.nix
+++ b/modules/nixos/profiles/default.nix
@@ -15,6 +15,9 @@ in {
 ];
 
 config = mkIf cfg.enable {
+ # FIXME Enable on a fresh system!
+ # ark.directories = ["/var/log"];
+
 programs.less = {
 enable = true;
 envVariables.LESSHISTFILE = "-";
-- 
cgit 1.4.1
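Review bot: In the openssh.nix hunk, `LogLevel` falls back to `"ERROR"` when fail2ban is disabled, which is below sshd's INFO default and suppresses the accepted/failed authentication and session open/close records an investigation relies on, not only the lines fail2ban parses; use `else "INFO";` so the baseline audit trail survives turning fail2ban off. `AllowUsers = my.username` reads `my` directly while the line below reads `config.nixfiles...`; if `my` is not a module argument here this only fails at evaluation time, so it is worth confirming. The commented-out `ark` block for the host keys matters for this same module once impermanence is on: without it each boot regenerates the keys and every client sees a changed host key, which erodes the one warning users should take seriously. The `config = mkIf cfg.server.enable {` set continues past the end of the hunk.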